1package middleware 2 3// Ported from Goji's middleware, source: 4// https://github.com/zenazn/goji/tree/master/web/middleware 5 6import ( 7 "net/http" 8 "strings" 9) 10 11var xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For") 12var xRealIP = http.CanonicalHeaderKey("X-Real-IP") 13 14// RealIP is a middleware that sets a http.Request's RemoteAddr to the results 15// of parsing either the X-Forwarded-For header or the X-Real-IP header (in that 16// order). 17// 18// This middleware should be inserted fairly early in the middleware stack to 19// ensure that subsequent layers (e.g., request loggers) which examine the 20// RemoteAddr will see the intended value. 21// 22// You should only use this middleware if you can trust the headers passed to 23// you (in particular, the two headers this middleware uses), for example 24// because you have placed a reverse proxy like HAProxy or nginx in front of 25// chi. If your reverse proxies are configured to pass along arbitrary header 26// values from the client, or if you use this middleware without a reverse 27// proxy, malicious clients will be able to make you very sad (or, depending on 28// how you're using RemoteAddr, vulnerable to an attack of some sort). 29func RealIP(h http.Handler) http.Handler { 30 fn := func(w http.ResponseWriter, r *http.Request) { 31 if rip := realIP(r); rip != "" { 32 r.RemoteAddr = rip 33 } 34 h.ServeHTTP(w, r) 35 } 36 37 return http.HandlerFunc(fn) 38} 39 40func realIP(r *http.Request) string { 41 var ip string 42 43 if xrip := r.Header.Get(xRealIP); xrip != "" { 44 ip = xrip 45 } else if xff := r.Header.Get(xForwardedFor); xff != "" { 46 i := strings.Index(xff, ", ") 47 if i == -1 { 48 i = len(xff) 49 } 50 ip = xff[:i] 51 } 52 53 return ip 54} 55